Metamorphic malware and polymorphic malware

Metamorphic and Polymorphic malware

Can you imagine a piece of malware whose code changes its shape and signature each time it appears, making it extremely hard for signature-based antivirus to detect? This is what polymorphic and metamorphic malware do.

In its annual threat report, security firm Sophos said that the majority of samples it observes are unique attacks associated with polymorphic and metamorphic malware.

Although the idea of mutating malware sounds quite scary, it has actually been used by malicious hackers since the early 1990s, and it is getting very advanced. Antivirus solutions usually use signatures to identify malware, comparing each file against their database of malware signatures. If the file under investigation has a signature that matches one of the signatures in the database, the infection is detected.

Crackers are getting smarter. When you visit a suspicious web site, you get infected with malware that has a certain shape and signature. When another person visits the same site, they get infected with the same malware, but with a different shape and signature. Each time someone downloads that malware, a new shape is generated automatically for the same malware; even refreshing the page generates a new shape. This makes it very difficult for signature-based antivirus solutions to keep up.

Not only does each download of the same malware have a different shape, the same malware on a given machine keeps changing its shape to avoid detection. This is how sophisticated polymorphic and metamorphic malware can be.

It is important to note that although the malware changes (“morphs”) its shape with each iteration and each download, the function it performs remains the same: it changes its appearance, but the malicious code inside still does the same damage.

One example is the malware codenamed Shylock, which first appeared under one file name and description and over time appeared as a completely different file, changing its signature each time.

Metamorphic malware

This type of malware is completely rewritten with each iteration, but every version still functions the same way. The longer the malware stays on a computer, the more iterations and versions it produces, and the more sophisticated those iterations become.

The techniques used by metamorphic malware are sophisticated and complex, which makes metamorphic malware more difficult to detect than polymorphic malware. Some of the techniques used include register renaming, code permutation, code expansion, code shrinking and garbage code insertion.
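The defensive answer to those techniques is normalisation: undo the transformations before hashing, so that every variant collapses to one signature. The following is an added example, not code from the original article. The "assembly" is a constructed simplified syntax (one instruction per line, comma-separated operands, labels ending in a colon), both variants are constructed benign sequences, and the normaliser handles only two of the transformations named above, garbage code insertion and register renaming.

```python
"""Toy normaliser that recovers one signature for metamorphic variants of a routine.

Added example, not from the original article. The asm syntax and both
variants are constructed; only garbage removal and register renaming are
undone before hashing (permutation, expansion and shrinking are not handled).
"""
import hashlib
import re

# Constructed variant A: sums four dwords at esi into eax.
VARIANT_A = """
mov ecx, 4
xor eax, eax
loop:
add eax, [esi]
add esi, 4
dec ecx
jnz loop
ret
"""

# Constructed variant B: same logic after register renaming
# (eax->ebx, ecx->edx, esi->edi) and garbage code insertion.
VARIANT_B = """
mov edx, 4
nop
xor ebx, ebx
mov edi, edi
loop:
push eax
pop eax
add ebx, [edi]
add edi, 4
nop
dec edx
jnz loop
ret
"""

# Constructed unrelated routine, to show the normaliser does not collapse everything.
OTHER = """
mov eax, 1
ret
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi)\b")


def tokenize(asm: str) -> list:
    """Split the constructed asm text into [mnemonic, operand, ...] lists; labels stay one token."""
    instrs = []
    for line in asm.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":"):
            instrs.append([line])
            continue
        parts = line.split(None, 1)
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        instrs.append([parts[0]] + ops)
    return instrs


def strip_garbage(instrs: list) -> list:
    """Remove do-nothing instructions: nop, mov r,r and push r / pop r pairs."""
    out, i = [], 0
    while i < len(instrs):
        ins = instrs[i]
        nxt = instrs[i + 1] if i + 1 < len(instrs) else None
        if ins[0] == "nop" or (ins[0] == "mov" and len(ins) == 3 and ins[1] == ins[2]):
            i += 1
        elif ins[0] == "push" and nxt and nxt[0] == "pop" and nxt[1:] == ins[1:]:
            i += 2
        else:
            out.append(ins)
            i += 1
    return out


def rename_registers(instrs: list) -> list:
    """Replace registers by first-use indices (r0, r1, ...) so renaming leaves no trace."""
    mapping = {}

    def canon(m):
        return mapping.setdefault(m.group(1), f"r{len(mapping)}")

    return [[REG_RE.sub(canon, tok) for tok in ins] for ins in instrs]


def normalize(asm: str) -> str:
    """Canonical text of a routine after garbage removal and register renaming."""
    instrs = rename_registers(strip_garbage(tokenize(asm)))
    return "\n".join(" ".join(ins) for ins in instrs)


def raw_signature(asm: str) -> str:
    """What a byte-exact signature sees: the hash of the text as written."""
    return hashlib.sha256(asm.strip().encode()).hexdigest()


def normalized_signature(asm: str) -> str:
    """The hash a normalising scanner would store and match on."""
    return hashlib.sha256(normalize(asm).encode()).hexdigest()


if __name__ == "__main__":
    print("raw equal:", raw_signature(VARIANT_A) == raw_signature(VARIANT_B))
    print("normalized equal:", normalized_signature(VARIANT_A) == normalized_signature(VARIANT_B))
```

The raw hashes of the two variants differ, so a byte-exact signature written for variant A misses variant B; after normalisation both hash to the same value while the unrelated routine still does not. Real engines also have to handle instruction reordering and equivalent-instruction substitution, which is why emulation and behavioural detection complement this kind of static normalisation.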

Polymorphic malware

This is also a type of malware that changes its shape and signature. It usually has two parts: one changes its shape while the other remains the same, which makes it easier to detect than metamorphic malware.

Usually this type of malware consists of two parts:

The code used to decrypt and encrypt the other part (usually called the VDR: virus decryption routine). This part does not change its shape.

The encrypted virus body (EVB). This is the part that changes.

When an infected application launches, the VDR decrypts the encrypted virus body (EVB) so it can execute, and then re-encrypts it again. Usually the malware writer uses a randomly generated encryption key for the VDR, so that each malware download gets a completely different EVB.
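The two-part structure is exactly what a defender can lean on. The following simulation is an added example, not code from the original article: it builds one "download" per possible key from a constant decryptor stub and a body XORed with that key, then compares three scanning strategies. Everything is constructed and harmless, the "body" is a plain ASCII marker, the "encryption" is a one-byte XOR, and nothing is ever executed; the decryptor is a pure function over bytes.

```python
"""Why a signature on the virus body fails against polymorphic malware,
and why the unchanging decryptor (VDR) is the better static anchor.

Added example, not from the original article. All data is constructed:
the body is an ASCII marker, the cipher is a one-byte XOR, and the
'decryptor' is a pure function that only transforms bytes.
"""

# Constructed stand-ins for the two parts described in the text.
VDR_STUB = b"\x90DECRYPT-STUB\x90"       # constant decryptor routine, never changes
PLAIN_BODY = b"CONSTRUCTED-BENIGN-BODY"  # the body as it looks once decrypted


def make_sample(key: int) -> bytes:
    """Build one 'download': fixed VDR stub, the one-byte key, then the body XORed with it (EVB)."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in the clear; use 1..255")
    evb = bytes(b ^ key for b in PLAIN_BODY)
    return VDR_STUB + bytes([key]) + evb


def decrypt_body(sample: bytes) -> bytes:
    """Do what the VDR does at run time: recover the body from the EVB using the embedded key."""
    key = sample[len(VDR_STUB)]
    return bytes(b ^ key for b in sample[len(VDR_STUB) + 1:])


def body_signature_hits(sample: bytes) -> bool:
    """Naive static scanner: look for the plaintext body bytes in the file as stored on disk."""
    return PLAIN_BODY in sample


def stub_signature_hits(sample: bytes) -> bool:
    """Static scanner keyed on the part that does not change between downloads."""
    return VDR_STUB in sample


def emulate_then_scan(sample: bytes) -> bool:
    """Scanner that lets the decryptor run in a sandbox (emulation) and then checks the body."""
    return PLAIN_BODY in decrypt_body(sample)


def compare_scanners() -> dict:
    """Generate one sample per possible key and count detections per strategy."""
    samples = [make_sample(k) for k in range(1, 256)]
    return {
        "samples": len(samples),
        "distinct_on_disk": len(set(samples)),
        "body_signature": sum(body_signature_hits(s) for s in samples),
        "stub_signature": sum(stub_signature_hits(s) for s in samples),
        "emulate_then_scan": sum(emulate_then_scan(s) for s in samples),
    }


if __name__ == "__main__":
    for name, count in compare_scanners().items():
        print(f"{name:>18}: {count}")
```

All 255 samples are byte-for-byte different on disk and none of them contains the body signature, yet every one is caught by a signature on the constant VDR stub and by decrypt-then-scan. That is the concrete reason the text gives for polymorphic malware being easier to detect than metamorphic malware: as long as the decryptor stays fixed it is a signature in itself. An engine that also rewrote the decryptor each time would remove that anchor, which is why emulation and behavioural monitoring, rather than static signatures alone, are the durable defence.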


About The Author

Ammar is a digital transformer, cloud architect, public speaker and blogger.
He is considered a trusted advisory with the ability to quickly navigate complex multi-cultural organizations and continuously improve and motivate cross-functional teams to achieve higher productivity, collaboration, revenue gain and cross-group knowledge sharing.
His contributions to the tech community helped him get awarded the Microsoft Most Valuable Professional.
Ammar appears in a lot of global conferences, and he has many publications about digital transformation and next generation technologies.

62 Comments

Reblogged this on Remove Your Malware and commented:
An interesting and informative article about “Metamorphic” and “Polymorphic” Malware by Ammar Hasayen makes today’s reblog! If you want to see more articles like this, head to ammarhasayen.com! Or follow Remove Your Malware for similar posts!

Hi would you mind sharing which blog platform you’re using?
I’m planning to start my own blog in the near future but I’m having
a tough time choosing between BlogEngine/Wordpress/B2evolution and Drupal.
The reason I ask is because your design and style seems different then
most blogs and I’m looking for something
completely unique. P.S Apologies for being off-topic but I
had to ask!

Hi and sorry for the late reply.
Well, I am using wordpress.com as it provides a more professional platform for blogging.
Regarding the blog theme, wordpress.com provides many free and paid themes that you can pick from. You just have to be creative I guess 🙂

My spouse and I stumbled over here coming from a different web page
and thought I might check things out. I like what I see so now i am following you.
Look forward to looking over your web page yet again.

Attractive section of content. I just stumbled upon your blog and in accession capital to assert
that I get actually enjoyed account your blog posts.
Anyway I will be subscribing to your feeds and even I achievement you access consistently quickly.

I have been browsing online more than 3 hours today, yet I never found any interesting
article like yours. It is pretty worth enough for me.
In my view, if all web owners and bloggers made good content as you did, the
web will be a lot more useful than ever before.

Howdy! Someone in my Myspace group shared this site with us so I
came to give it a look. I’m definitely enjoying the information.
I’m book-marking and will be tweeting this to my followers!
Terrific blog and brilliant design.

Hey! Someone in my Facebook group shared this site with
us so I came to take a look. I’m definitely enjoying the
information. I’m bookmarking and will be tweeting this to my followers!
Fantastic blog and amazing design and style.

I do believe all of the ideas you have introduced in your post.
They’re very convincing and can certainly work. Still, the posts are
very short for newbies. May you please extend
them a bit from next time? Thank you for the post.

Hi! Quick question that’s entirely off topic. Do you know how to make your site mobile friendly?
My website looks weird when browsing from my iphone 4.
I’m trying to find a template or plugin that might be able to fix this problem.
If you have any recommendations, please share.

I blog quite often and I truly appreciate your content.
Your article has really piqued my interest. I am
going to take a note of your blog and keep checking
for new details about once a week. I subscribed to your RSS feed as well.

Hi there are using WordPress for your site platform?
I’m new to the blog world but I’m trying to get started and create
my own. Do you require any coding knowledge to make your own blog?
Any help would be really appreciated!

Nice blog! Is your theme custom made or did you download it from somewhere?
A design like yours with a few simple adjustments would really make my blog stand out.
Please let me know where you got your theme. Many thanks

Oh my goodness! Incredible article dude! Thank you so much, However I am
encountering problems with your RSS. I don’t understand why I can’t join it.
Is there anyone else having the same RSS problems?
Anybody who knows the answer can you kindly respond? Thanx!!

Great post. I used to be checking continuously this blog and I’m inspired!
Extremely useful information particularly the final part :
) I handle such info a lot. I was looking for this particular info for a very lengthy time.
Thanks and good luck.

I have been browsing on-line more than 3 hours these days,
yet I by no means discovered any attention-grabbing article like
yours. It is beautiful worth sufficient for me.
In my view, if all site owners and bloggers made just right content material
as you did, the internet will likely be a lot more useful than ever before.

We’re a group of volunteers and starting a new scheme in our community.
Your website provided us with helpful info to work on. You have performed a formidable process and our whole group will be
grateful to you.

Hi just wanted to give you a quick heads up and let you know a few of the
images aren’t loading properly. I’m not sure why but I
think it’s a linking issue. I’ve tried it in two
different web browsers and both show the same results.

I’m very happy to find this website. I wanted to thank you for ones time
for this fantastic read!! I definitely liked every bit
of it and i also have you book marked to look at new information on your
web site.

Hey very nice web site!! Man .. Beautiful ..
Superb .. I’ll bookmark your site and take the feeds additionally?
I am happy to search out a lot of helpful information here
within the post, we want develop more strategies in this regard,
thank you for sharing. . . . . .